U.S. Department of Transportation
Office of the Secretary of Transportation

Inspector General

Office of Inspector General
Washington, DC 20590

June 17, 2010

CC-2010-012

The Honorable James L. Oberstar
Chairman, Committee on Transportation and Infrastructure
United States House of Representatives
Washington, DC 20515

The Honorable Jerry F. Costello
Chairman, Subcommittee on Aviation
Committee on Transportation and Infrastructure
United States House of Representatives
Washington, DC 20515

Dear Chairmen Oberstar and Costello:

On November 19, 2009, 129 of the Nation’s air traffic facilities experienced an outage
of the Federal Aviation Administration’s (FAA) telecommunications that delayed
thousands of travelers and grounded hundreds of flights nationwide. As you
requested, we conducted a review to (1) identify the cause of the FAA
Telecommunications Infrastructure (FTI) outage, (2) review FAA’s corrective action
plan to prevent future critical outages, (3) examine FAA’s ability to oversee FTI and
the contractor, and (4) identify oversight vulnerabilities or best practices of other
critical systems in the National Airspace System (NAS) owned or operated by the
private sector.

Summary
The November 2009 FTI outage raised questions about FAA’s and the prime
contractor’s (Harris Corporation) ability to effectively manage FTI as well as the
integrity of the network design and whether it can support initiatives for the Next
Generation Air Transportation System (NextGen). Specifically, we found:

  • A Harris technician incorrectly configured an FTI router (which directs air traffic
    data, such as flight plans, through the network) at Los Angeles Center.
    The error caused the FTI network to send air traffic data on the wrong routes,
    which blocked approximately 75 percent of the routes across the FTI fiber optic
    network. Service restoration was delayed for 5 hours because an automatic tool
    that alerts technicians to network failures and their locations did not work as
    intended. Therefore, Harris technicians could not readily identify the source of
    the problem, which could have minimized the impact of the error on the NAS.

  • FAA and Harris have taken corrective actions to prevent another critical outage.
    These include deactivating the FTI legacy network and router configuration design
    (which are now obsolete) that caused the outage and fixing the automatic alert
    tool. However, both FAA and Harris officials acknowledged that there is still a
    risk of critical outages as new NextGen services are added to FTI’s new fiber
    optic network.

  • FAA’s oversight of the FTI contractor could have been more effective. FAA was
    unaware that Harris officials had configured the network in error and made other
    procedural errors. In 2008, we recommended that FAA develop improved
    controls over the contractor’s FTI equipment configuration and take steps to
    prevent unscheduled outages and restore them on time to improve service
    reliability.[1] While FAA agreed to take action, we found it still has problems
    ensuring FTI services are restored within contractual requirements.
    To its credit, FAA plans to address this and other FTI issues, in response to
    the findings of an independent review panel convened to investigate the
    November outage.

  • FAA has not developed best practices to oversee NAS systems not owned or
    operated by the Government even though it is increasingly shifting more
    acquisitions and services to the private sector to reduce costs. Moreover, FAA’s
    internal reports have concluded that FAA and Harris need to identify FTI network
    vulnerabilities—a critical step highlighted by the fact that the program office for
    the Automatic Dependent Surveillance-Broadcast (ADS-B), a key NextGen
    system, has decided against using FTI due to network reliability and security
    concerns.

Background
The FTI network provides voice, data, and video communications that support
operations at more than 4,000 FAA facilities and remote sites nationwide, as well as
some Department of Defense facilities. The network provides more than
25,000 telecommunications circuits and service delivery points, upgraded switching
and routing services, and centralized network monitoring and control. As a major
contributing system to NextGen, initiatives are underway to further upgrade the FTI
fiber optic network to increase capacity, or bandwidth;[2] provide greater flexibility;
and continue to reduce latency.[3] FAA’s mission for FTI is to achieve an integrated
suite of products, services, and business practices to better meet the
telecommunications needs of the NAS. With FTI, FAA will transition from
traditional dedicated circuits to on-demand service where appropriate. According to
FAA, these services will provide lower unit cost, more efficient bandwidth utilization,
improved information security, and state-of-the-art business processes and
technology.

[1] OIG Report Number AV-2008-089, “FAA’s Progress and Challenges in Meeting FTI
    Transition Goals,” September 30, 2008. OIG reports are available on our website:
    www.oig.dot.gov.
[2] Bandwidth refers to a data rate measured in bits per second, such as network
    throughput (i.e., the average data rate of successful data transfer through a
    communications path).

In July 2002, FAA awarded an Indefinite Delivery Indefinite Quantity contract to
Harris to begin transitioning FTI into the NAS and to provide management and
support functions for the FTI network. FAA does not own the network, and its
contract with Harris is essentially a 15-year lease that expires in 2017 and covers the
cost of acquiring, operating, and maintaining the FTI network. The contract has a
current maximum value of $1.4 billion and a ceiling amount of $3.5 billion, with no
limits on quantities, meaning there is almost no limit on Harris’ ability to sell
additional services to FAA until the ceiling is reached.
FAA has expended about $1.2 billion on the contract and currently spends about
$146 million annually on the FTI program.

Harris Configuration and Procedural Errors Caused the FTI Outage and
Delayed Service Restoration
On November 19, 2009, FAA’s FTI system experienced a NAS-wide outage while
Harris was transitioning FTI Internet Protocol (IP) services from a legacy network to
the new FTI Operations Internet Protocol (OPIP) fiber optic network.[4] Our review
found the root cause of the outage occurred when a Harris engineer incorrectly
configured one of several temporary routers (known as Logical Transition Bridges)
between the old and new networks. These “bridges” were installed at the 26 core FTI
sites with different route maps to allow continued flow and separation of air traffic
information (e.g., flight plans and weather data) across both networks and prevent
routing problems during the network transition. The configuration error essentially
went unnoticed and ultimately created a “domino effect” across the FTI network when
all circuits on the new fiber optic network failed, resulting in 820 flight delays.

Specifically, all Air Route Traffic Control Centers (ARTCC), Network Enterprise
Management Centers, and the FAA Command Center did not have the data they rely
on to manage flights when multiple FAA systems were affected by the FTI outage.
These included the following:

  • Enhanced Traffic Management Service, which provides information on a national
    level to predict traffic surges, gaps, and volumes based on current and anticipated
    airborne aircraft.
  • National Airspace Data Interchange Network, which distributes flight plan data,
    weather information, and other air traffic control messages within the NAS.
  • National Defense Program Surveillance, which provides surveillance data from
    FAA long- and short-range radar to Department of Defense and Department of
    Homeland Security agencies.

[3] Latency expresses how much time it takes for data to get from one designated point
    to another. Excessive latency creates bottlenecks that prevent data from filling the
    network pipe, thus decreasing effective bandwidth.
[4] IP typically uses various routing and communications procedures and communicates
    with multiple sites simultaneously. IP services do not use the actual Internet; they
    just follow similar procedures. With FTI, IP services were previously carried over
    the Asynchronous Transfer Mode circuits. In the new fiber optic network, IP services
    are now carried over optical circuits, which will increase bandwidth and reduce data
    latency.

The error that led to the outage and flight delays was first made on October 21, 2009,
with the temporary router installed at Los Angeles Center, during the Salt Lake City
Center’s transition to the fiber optic network. The error essentially made the FTI
network “believe” that air traffic information could be routed either locally within Los
Angeles airspace or between Los Angeles and Salt Lake City airspace. When the link
between the two facilities was reestablished after installation, the authorized routes
between the networks and Los Angeles and Salt Lake City resumed operations,
masking the error, which remained dormant in the system.

On November 19, 2009, a Harris engineer took down the link between Los Angeles
and Salt Lake City Center to place a new router in service on the FTI fiber optic
network at Los Angeles.
The new router also contained the configuration error, since
the route map (which failed to define the authorized traffic between the two networks)
was copied from the replaced router. The error occurred because the engineer failed
to append a needed “no” statement to the configuration file after replacing the router
and before reestablishing the link between the two facilities. As a result, when the
link went live, the network sent air traffic data on the wrong routes between the
airspace locations and resulted in multiple outages. According to Harris officials, the
failure to append the “no” statement caused the network to begin using the wrong
routes and sending network traffic through Los Angeles, which impacted services at
129 facilities instead of the 21 that should have been impacted. The error also broke
down the separation between the old and new networks, causing routing errors when
the FTI network began sending all network traffic through Los Angeles Center to Salt
Lake City Center. The link between the two facilities did not have the bandwidth to
support all traffic, and approximately 75 percent of routes were blocked across the
FTI fiber optic network for 5 hours while Harris tried to find the problem.

Harris eventually started restoring services after technicians discovered that taking a
core router offline at Salt Lake City eased the problem. The FTI network had
over-utilized core routers at that site when channeling all the additional traffic over
from Los Angeles. Regardless of the initial error, the impact on the NAS could have
been minimized if Harris had identified the source of the problem sooner. We found the
We found the\nfollowing procedural breakdowns contributed to delayed recognition of the problem:\n\n\nCC-2010-012\n\x0c                                                                                     5\n\n\n \xe2\x80\xa2 An automated tool that alerts Harris personnel to network failures when any router\n   central processing unit exceeds 60 percent of its utilization for 10 minutes did not\n   work as intended. This was due to a configuration error that suppressed the wrong\n   alarms. As a result, a filter meant to silence recurring alarms for only a specific\n   router at FAA\xe2\x80\x99s Technical Center caused the alarms to be filtered for all routers on\n   the FTI network.\n \xe2\x80\xa2 Once Harris engineers were made aware of the outages, they started pursuing the\n   wrong problem. They initially looked at backing out configuration changes to the\n   network routers at the Los Angeles ARTCC and the Herndon, Virginia, Command\n   Center, since the two most recent maintenance actions had been at these sites.\n \xe2\x80\xa2 Harris mistakenly thought another router supporting Los Angeles ARTCC was the\n   problem. Harris engineers were having trouble accessing the router remotely and\n   sent a technician to reset the router manually. Harris later found that this router\n   was not the problem, but this was a temporary distraction that further delayed\n   service restoration.\n \xe2\x80\xa2 Harris could not initially determine whether FTI was being over-utilized. Spot\n   checks of core routers at other sites (but not Salt Lake City Center) did not\n   indicate a general high-utilization level on other routers.\n\nFAA Has Taken Corrective Actions To Prevent a Recurrent Outage, but\nthe Risk of Future Critical Outages Remains\nFAA has eliminated the possibility that the events leading to the November 2009\ncritical outage could reoccur. 
As of December 13, 2009, all IP services were cutover
from the legacy network to the new FTI fiber optic network, thereby eliminating the
need for the temporary routers between the two networks. As a result, Harris has
deactivated the legacy networks and the route map configuration design used during
the transition. Harris officials state they have also corrected the problems with the
automatic alert tool. In addition, Harris is working to require support personnel to
actively monitor the FTI network during future maintenance releases that involve
installing or replacing core routers.

However, both FAA and Harris officials acknowledge that an inherent risk of critical
outages remains since Harris plans to transition more existing services and new
NextGen services to the FTI fiber optic network. Additionally, Harris will face
challenges and risks as it continues to design and build out the new fiber optic
network, which is expected to support future services.

Risks of FTI Outages for Existing Operational Services
As of December 2009, Harris reported that there are a total of 20,982 services
operating on the FTI network. While FAA has transitioned all 1,808 IP services
supporting FAA flight plans to the new FTI fiber optic network, additional risks will
be introduced when the Agency begins transitioning other FAA services, such as En
Route Automation Modernization (ERAM) and NextGen platforms, which also
require IP technology to operate.[5] Moreover, there are 19,174 existing services that
may be transitioned to the new FTI fiber optic network.
According to FAA,
transitioning these remaining services is important because FTI now connects older
FAA systems that provide safety-critical voice and surveillance radar information by
utilizing Time Division Multiplex (TDM) technology, instead of IP services.[6] Table 1
describes the current technologies supporting FTI services, and the percentage of
services operating over the two FTI networks.

      Table 1. FTI Services Operating on the Fiber Optic and Legacy Networks
                              (as of December 2009)

Technology Supporting   Backbone                   Number of   Percent of
FTI Services            Infrastructure             Services    FTI Services
----------------------  -------------------------  ----------  ------------
IP                      FTI Fiber Optic Network         1,808          8.6%
TDM Point-to-Point      FTI Legacy Network             19,174         91.4%
Total                                                  20,982          100%

Source: OIG Analysis of Harris and FAA Briefings

FAA required Harris to begin transitioning about 1,492 of the remaining services to
the FTI fiber optic network in April 2010; the transition will last several months.
However, FAA has yet to determine whether the remaining 17,682 services will be
transitioned to the new FTI fiber optic network but plans to conduct analyses to
determine feasibility.

Moreover, critical voice and surveillance data communications services continuing to
operate over the FTI legacy network (e.g., AT&T and Sprint networks are used to
support the 17,682 FTI services) are still vulnerable to outages because Harris has
little control over how these networks are managed.
For example, according to a
November 2009 internal FAA study, Harris confirmed either the complete lack or
inadequate proof of diversity[7] between FTI primary and alternate network paths at
several critical facilities—including FAA’s Technical Center and Baltimore Air
Traffic Control Tower. According to Harris officials, FTI sites that supposedly had
diversity no longer had it after AT&T or Sprint made upgrades to their network.
Therefore, FAA’s installation of the new FTI fiber optic network was also an effort to
maintain the diversity and redundancy of critical FTI services through a dedicated
infrastructure where only the Government (and its contractor) could provide and
support services to avoid the diversity violations encountered with FTI services
operated over the legacy network.

[5] The $2.1 billion ERAM program will replace the existing hardware and software at
    facilities that manage high-altitude traffic.
[6] FTI remaining services use Time Division Multiplex (TDM) technology. Specifically,
    they require a circuit connection between two end points that utilize TDM technology
    to transport voice and data. The TDM services are considered critical because they
    transport FAA’s critical voice and radar data information in this manner throughout
    the NAS.
[7] For the purposes of this report, we refer to diversity as instances where there is
    not adequate separation between FTI primary and alternative paths. We did not
    examine FTI’s overall architecture or design.

Risks Regarding FTI Support for NextGen Initiatives
According to FAA, the new FTI fiber optic network also establishes the foundation
for the telecommunications architecture required to support NextGen initiatives.
However, FTI program officials stated that they have yet to determine whether the
fiber optic network can support NextGen and plan to further assess the network to
determine its integrity and ability to support these services. As FAA continues to
modernize the NAS, increased usage of IP services is expected. For example,
emerging NextGen technologies, such as the System Wide Information Management
and Data Communications, will be IP-based and will be implemented on FTI.
However, FAA has yet to establish a timeframe for implementing these services.

Moreover, concerns about FTI have already caused the ADS-B program office to
decide against using FTI to provide its telecommunications services. The ADS-B
contractor (ITT Corporation) stated that ADS-B requires high service availability and
low latency for services to be provided as proposed in the contract. For example, the
ADS-B service requires that an ADS-B report be delivered to Air Traffic Control
automation within 700 milliseconds of receipt at a radio station and that services can
be restored within 6 seconds (e.g., safety-critical capability.) The loss of this
capability raises to an unacceptable level the risk associated with providing safe and
efficient local NAS operations.
At the time of the contract award in 2007, ITT did not
believe FTI could meet these requirements.

FAA also faces challenges as Harris continues to design and build out the FTI fiber
optic network to make it more stable and capable of supporting advanced NextGen
technologies. For example, Harris is upgrading several locations that support eight
Centers (i.e., facilities that manage high-altitude traffic.) While the upgrades, slated
for completion in fiscal year 2011, could improve the reliability and efficiency of
network traffic, they could also introduce risks to network operations if not properly
planned and managed. To address FAA’s safety requirements and provide a back-up
capability, Harris is also building out the FTI fiber optic network to support FAA’s
Business Continuity Plan (BCP) initiative. The BCP concept effectively creates a
temporary Center at the William J. Hughes Technical Center in the event of a
long-term Center outage due to natural disasters (e.g., storms, fires, etc.). Harris has
installed the necessary equipment at the Technical Center to implement the spare
Center concept. However, this is considered only an interim step for continuity
planning as FAA must still transition thousands of small remote sites and about
300 larger sites to the new FTI fiber optic network. This will allow Harris to reroute
services more efficiently in the event of a disaster. However, FAA has yet to
determine if or when these sites will be transitioned.

The new FTI fiber optic network also has vulnerabilities with potential outages and
security risks that will require sustained management and oversight.
The new
network is designed to reduce the risks of future widespread failures because it is
partitioned by en route airspace using Border Gateway Protocols (BGP), and the
separate domain will assist in containing any network anomalies to specific delegated
airspace. However, according to the National Institute of Standards and Technology,
the use of BGP does not come without risks.[8] For example, if the BGP routing
protocol fails to carry out the routing function, portions of the network may become
unusable for periods of time—ranging from minutes to hours. While most of the risks
to BGP come from accidental failures, there is also a security risk that attackers could
disable part or the entire network. Therefore, it is imperative that FAA and Harris
institute proper controls to ensure the safety and security of the FTI fiber optic
network.

FAA’s Oversight of FTI Vulnerabilities and the Contractor Should Have
Been More Proactive
FAA’s oversight of FTI and Harris was not as effective as it should have been.
Although FAA has three representatives on-site at the Harris facility to monitor FTI
outages and managers at the two FAA Network Enterprise Management Centers, they
have limited ability to oversee FTI. FAA tends to have a reactive, rather than
proactive approach to assessing network vulnerabilities. For example, at the time of
the outage, neither FAA nor Harris could readily identify the root cause of the outage
or what corrective actions were needed to resolve it.

In 2008, we recommended that FAA improve its processes and procedures for
restoring FTI outages within contractually established timeframes to meet reliability,
maintainability, and availability (RMA) standards. While FAA agreed to take action,
it continues to have problems ensuring FTI services are restored within contract
requirements. FTI services vary depending on the RMA levels.
For example, RMA-1
services such as radar must be restored within 6 seconds. However, RMA-4 services,
such as En Route Air to Ground Communications, account for about 80 percent of
FTI services and must be restored within 3 hours. At the time of our audit, we found
that an average of 7 percent of FTI services experienced outages and were not
restored on time. While this may seem like a small percentage, the trend has not
improved, with just over 8 percent of FTI services not meeting availability
requirements as of December 2009 (see table 2).

[8] National Institute of Standards and Technology, Special Publication 800-54, Border
    Gateway Protocol Security, June 2007.

            Table 2. Percent of Individual Services Not Meeting
                       Minimum RMA Requirements

RMA Level*     Meeting       Not Meeting   Total      Percent Not Meeting
               Requirement   Requirement              Requirement
-------------  ------------  ------------  ---------  -------------------
RMA 1                   313            21        334                6.29%
RMA 2                 1,543            73      1,616                4.52%
RMA 3                   861            61        922                6.62%
RMA 4                19,188         1,888     21,076                8.96%
RMA 5                 1,937            87      2,024                4.30%
RMA 7                   134             9        143                6.29%
All Services         23,976         2,139   26,115**                8.19%

Source: Total of 26,115 FTI services included in the individual service information data
in the December 2009 FTI Performance and Management Report. This is based on the past
12-month reporting period.

To its credit, after the November 2009 outage, FAA established several independent
groups to review the cause of the outage. These groups include FAA’s Safety Event
Response Team, an internal group sponsored by the FTI program office, and another
group of experts chartered by the FAA Administrator.[9] The Administrator’s group
was further tasked to review the integrity of the FTI architectural design, FTI’s ability
to support NextGen initiatives, and any potential threats of future, critical outages.
This group was also asked to examine whether Harris has adequate personnel,
processes, and technology deployed to provide a robust communications network with
adequate security and backup capabilities to meet FAA’s needs. The FAA
Administrator’s group issued its report on April 20, 2010, noting several steps FAA
should take to improve oversight of FTI and its contractor. Many of these bolster our
analysis of actions needed to improve oversight of NAS systems owned and operated
by the private sector, which is further discussed below.

FAA Has Not Developed Best Practices To Oversee NAS Systems Not
Owned or Operated by the Government
Over the last several years, FAA has sought to transition more acquisitions and
services to the private sector to reduce cost. For example, FAA transitioned Flight
Services Stations (FS-21) and FTI programs and is deploying the ADS-B
infrastructure, which will be a service-based system owned and operated by the
private sector. FAA plans to rely on a similar approach to develop and implement
Data Communications, which will be another multibillion-dollar investment.
Despite
this shift in its implementation strategy, FAA has not assessed best practices for
overseeing systems not owned or operated by the Government. The ATO’s Chief
Operating Officer has stated that a paradigm shift in FAA’s oversight is needed for
such systems.

[9] The panel convened by the FAA Administrator was made up of the following
    participants: the Chief Information Officers from FAA, FAA’s Air Traffic
    Organization, and DOT; FAA’s Assistant Chief Counsel for Acquisition and Commercial
    Law; the Assistant to the President and U.S. Chief Technology Officer; the Chief
    Executive Officer of Noblis, Incorporated; and the former Director of Command,
    Control, Communications, and Computer Systems.

Based on discussions with FAA officials and our review of the two independent
reports recently issued, FAA needs to be more proactive in assessing and addressing
FTI network vulnerabilities. FTI program officials acknowledged the need to develop
an in-house capability to monitor FTI network performance. To address this
vulnerability, FAA states it is developing a new automated toolset to monitor FAA
systems operating on FTI’s OPIP fiber optic network. While the toolset does not
allow FAA to directly monitor the status of the FTI network, this is a good first step;
however, it is too early to assess its adequacy. Ultimately, a new oversight approach
for NAS systems provided and serviced by the private sector is needed.
We identified
the following actions FAA should consider for FTI and other systems it does not own
or operate—many of which could also address several areas noted in the independent
review groups’ recommendations listed in the enclosure to this letter:

  • Ensure sufficient in-house expertise by providing training and experienced staff
    to the FAA team charged with oversight of the contractor.
  • Use modeling, simulation, and network monitoring tools to examine failure mode
    simulation, routing configuration changes, and alarms for unexpected and
    significant routing changes.
  • Ensure the use of a quality management system that includes checklists, peer
    review, and validation/verification for system changes.
  • Create a government/industry team responsible for identification of
    vulnerabilities, recommendations to improve survivability, and research into new
    and improved methods of building high-availability networks.
  • Require independent periodic reviews of existing and proposed network
    architectures.

Conclusion
FTI plays a significant role in the U.S. aviation system—the largest and safest system
in the world. Maintaining this safety record and transforming the system to meet
future demand depends on reliable equipment and technology, which will become
more complex as FAA continues the transition to NextGen. While the events that led
to the November 2009 outage were legitimate causes for concern, FAA has taken
steps to prevent a recurrence, and other actions are planned. As FAA continues to
implement FTI, it is imperative that the Agency exercise due diligence and become
more proactive in overseeing the contractor’s performance and addressing FTI
network vulnerabilities. It will be important for FAA to follow through with plans to
review FTI architecture to assess whether it can support NextGen.
At a minimum, FAA should use and document best practices to more effectively oversee
Harris and FTI vulnerabilities. Until FAA fully addresses this issue, the potential for
oversight lapses and service outages remains.

We are encouraged by FAA’s announcement on April 20, 2010, that it is accepting
the findings and recommendations of the independent review panel assigned to
investigate the November 2009 outage. FAA is still determining the best way to
implement the recommendations, which are aimed at improving overall FTI reliability
as well as FAA’s internal procedures for dealing with outages. Another review on the
reliability of FTI to carry critical navigation, communication, and other NextGen
services is pending. Therefore, we are not making any formal recommendations at
this time. However, we will continue to monitor FTI and report on FAA’s progress in
addressing these issues as necessary.

We discussed the results of our review with the Director of Air Traffic Control
Communications Services and incorporated his comments where appropriate. If you
have any questions, please contact me at (202) 366-1959 or Matthew E. Hampton,
Deputy Assistant Inspector General for Aviation and Special Program Audits, at
(202) 366-0500.

Sincerely,

Calvin L. Scovel III
Inspector General

Enclosure

cc: Secretary of Transportation
    Federal Aviation Administrator

Enclosure

Recommendations of the FAA Administrator’s Independent Review Panel
The FAA Administrator’s independent review panel assessing the cause of the
November 19, 2009, outage issued its report on April 20, 2010.
The report detailed a number of recommendations to improve the reliability of FTI and
FAA’s internal communications and procedures for dealing with an FTI outage. 10 The
panel’s recommendations included the following:

     1. Consider using automated tools to implement router configuration changes and
        to support independent verification procedures.

     2. Review maintenance operations and associated checklist design from a human
        factors and risk reduction perspective to help minimize the potential for human
        errors. Consider using the FAA’s Aviation Safety (AVS) and external experts in
        this review.

     3. Implement end-to-end situational awareness of the network, both Local Area
        Networks (LANs) and the FTI, as well as including appropriate applications.

     4. Implement a capability to report network and application service outages and
        describe the impact to FAA customers (internal and external) using a common
        language.

     5. Consider developing a functional model of the FAA’s FTI network to simulate
        and test configuration changes and upgrades.

     6. Consider a needs assessment of the FTI workforce staffing and skill levels to
        ensure adequate levels of network technical support at all times.

     7. Consider modifying the FTI contract award fee and/or performance incentive
        structure based on the observations in this report.

     8. Provide an alternate means for rapid and standardized entry of flight plan
        information into the National Airspace System (NAS) to mitigate failures in the
        flight plan filing system.

     9. Evaluate the ADS-B and FTI network architectures to determine the viability of
        using each as potential back-up for selected services of the other.

     10. Perform a review of currently identified essential services and categorize them
         according to priorities in support of NAS safety and capacity.

10
     “FAA Telecommunication Infrastructure Review Panel Report on November 19, 2009, Outage,” Federal Aviation
     Administration, Washington, D.C., issued April 20, 2010. The full report and recommendations can be found at:
     http://www.faa.gov/air_traffic/publications/media/FTI_Phase1.pdf.